Sandworm

Microsoft Threat Intelligence published research on a Sandworm (Seashell Blizzard) subgroup it tracks as BadPilot, active since at least 2021, that opportunistically exploits internet-facing appliances (notably ConnectWise ScreenConnect and Fortinet FortiClient EMS since early 2024) to establish persistent access for follow-on Sandworm operations. Targets since 2024 expanded to U.S. and U.K. organizations across energy, oil and gas, telecommunications, shipping, arms manufacturing, and government.

The U.S. Department of Justice unsealed an indictment charging six officers of the Russian GRU's Unit 74455 (Sandworm) in connection with a years-long campaign that included the 2015 and 2016 Ukraine power-grid attacks, the 2017 NotPetya outbreak, the 2018 Olympic Destroyer attack against the PyeongChang Winter Olympics, and operations against the 2017 French elections.

A destructive wiper masquerading as ransomware spread globally via a trojanized update to M.E.Doc, a Ukrainian accounting software package. Damages were later estimated at over USD 10 billion, making NotPetya the costliest cyberattack on record. The U.S., U.K., and other governments publicly attributed the operation to the Russian GRU.

Three Ukrainian regional electricity distribution companies (oblenergos) were simultaneously attacked, cutting power to approximately 225,000 customers for several hours. ICS-CERT and later attribution work tied the operation to Sandworm; this is widely regarded as the first publicly confirmed cyberattack to cause a power outage.